Data Processing Agreement (GDPR compliant)

1. Scope and subject matter of the agreement

This Data Processing (“DPA”) reflects the parties’ agreement with respect to the terms
governing the processing of Personal Data under Scalingo’s Terms of Service (the “TOS”). This
DPA is an amendment to the TOS and is effective upon its incorporation into the TOS, which
incorporation may be specified in an Order or an executed amendment to the TOS. Upon its
incorporation into the TOS, the DPA will form a part of the TOS.

2. Definitions

In this agreement:

(a) « Services » means the services provided to the Customer under the TOS ;

(c) « Customer », « controller » or « you » means the natural or legal person, public
authority, agency or other body which, alone or jointly with others, determines the
purposes and means of the processing of personal data;

(d) « Processor », « Scalingo » or « we » means a natural or legal person, public authority,
agency or other body which processes personal data on behalf of the controller;

(e) « Process/processing » means any operation or set of operations which is performed on
personal data or on sets of personal data, whether or not by automated means, such as
collection, recording, organisation, structuring, storage, adaptation or alteration,
retrieval, consultation, use, disclosure by transmission, dissemination or otherwise
making available, alignment or combination, restriction, erasure or destruction ;

(f) « Sub-processor » or « Sub-contractor » means a third party subcontractor engaged by
the processor which, as part of the subcontractor’s role of delivering the Services,
Processes Personal Data of the Customer ;

(g) « Technical and organisational security measures » means those measures aimed to
ensure a level of security appropriate to the risk including inter alia the
pseudonymisation and encryption of personal data, the ability to ensure the ongoing
confidentiality, integrity, availability and resilience of processing systems and services,
the ability to restore the availability and access to personal data in a timely manner in
the event of a physical or technical incident, a process for regularly testing, assessing
and evaluating the effectiveness of technical and organisational measures for ensuring
the security of the processing.

(h) “Data Protection Laws” means all laws and regulations, including laws and regulations
of the European Union, the European Economic Area and their Member states,
applicable to the Processing of Personal Data under the Agreement.

3. Application of this agreement

This agreement shall apply to:

a) all Data sent from the date of this agreement by the Customer to Scalingo for
Processing;

b) all Data accessed by the Scalingo on the authority of the Customer for Processing from
the date of this agreement; and

c) all Data otherwise received by Scalingo for Processing on the Customer’s behalf;

in relation to the Services.

4. Categories of Personal Data and purpose of the Personal Data Processing

In order to execute the Agreement, and in particular to perform the Services on behalf of
Customer, Customer authorizes and requests that Scalingo Process the following Personal Data:
Customer Information : information that we may collect from your use of the Scalingo web sites
and your interactions with us offline such as :

Financial information : credit card’s number and billing information (tax id, number of
the payer VAT, billing address, billing email, where invoices are sent) ; Credit card
number are handled by Stripe (our payment gateway), by Paypal, or other types of
payement ; Scalingo only charges your credit card for payments.

Employment contact details, including : employer name, job title and function, business
contact details;
Scalingo deal with customer information according to the terms of our general privacy policy.

Services Data : data that resides on Scalingo, customer or third-party systems to which Scalingo
has provided access to perform services.

Data stored and processed by users, such as: source code for the application, databases
that the applications use, files generated by applications, the history of operations
performed by users.

Log File Information: Three types of logs are saved by Scalingo’s system :
Connection logs which are essentially logs from each request to each application. These
connection logs may include information such as the web request, Internet Protocol
(“IP”) address, browser type, referring / exit pages and URLs, number of clicks, domain
names, landing pages, pages viewed and other such information.
The second type of logs are application logs, which are produced by each application of
our customers. Scalingo does not have the control on the content of these logs. The
control of application logs as Personal Data remains with the Customer.
Timeline event logs which are a record of a alerts and notifications that can help Scalingo to
identify and diagnose the source of current system problems and help predict future problems.

Other contact information about the customer and employees, for example through its
web sites, as part of that interaction.

Scalingo processes Customer information according to the terms of its Privacy policy, and treats
services data as confidential in accordance with the terms of your order for services.

Categories of Data Subjects: Data subjects include Customer’s representatives and end users,
such as employees, job applicants, contractors, collaborators, partners, and customers of the
Customer. Data subjects also may include individuals attempting to communicate or transfer
Personal Data to users of the Services.

5. Responsability of Scalingo

Scalingo shall Process Personal Data solely for the provision of the Services, and agrees to :

(a) Process and use Personal Data for the purposes set forth in this Agreement or only on
documented instructions from the Customer and for no other purpose except with the
express prior written consent of the Customer, or

(b) Not divulge Data to third parties except to those of its employees, agents and
subcontractors who are engaged in the Processing of the Data and are subject to the
binding obligations or except as may be required by any law or regulation;

(c) Implement appropriate technical and organizational measures to safeguard the Data
from unauthorized or unlawful Processing or accidental loss, destruction or damage,
and that having regard to the state of technological development and the cost of
implementing any measures, such measures shall ensure a level of security appropriate
to the harm that might result from unauthorized or unlawful processing or accidental
loss, destruction or damage and to the nature of the Data to be protected;

(d) Inform the Customer as soon as possible in the event of the exercise by Data Subjects
of any of their rights under the data protection laws in relation to the Data, and, if
necessary, assists the Customer in complying with the obligation to respond to those
requests in consideration of the undertakings provided in article 7 ;

(e) Not Process or transfer the Data outside of the European Union except with the express
prior written authority of the Customer and ensure that such transfers are made in
compliance with appropriate.

6. Responsability of the Customer

The Service Customer, as Data controller, must accept responsibility for abiding by the
applicable data protection legislation. Notably, the Customer has an obligation to assess the
lawfulness of the processing of personal data stored on the Plateform.

The Customer agrees that it shall ensure compliance at all times with the applicable data
protection law, and, in particular, the Customer shall ensure that any disclosure of Personal
Data made by it to Scalingo is made with the data subject’s consent or is otherwise lawful.
The control of Personal Data remains with the Customer, and as between the Customer and
Scalingo, the Customer will at all times remain the Data controller for the purposes of the
Services, the TOS, and this Data Processing Agreement. The Customer is responsible for
compliance with its obligations as Data controller under the applicable data protection Law, in
particular for justification of any transmission of Personal Data to Scalingo (including providing
any required notices and obtaining any required consents), and for its decisions concerning the
Processing and use of the data.

7. Rights of Data Subject

Scalingo will grant Customer electronic access to the Platform environment that holds Personal
Data to permit Customer to delete, release, correct or block access to specific Personal Data
or, if that is not practicable and to the extent permitted by applicable law, follow Customer’s
detailed written instructions to delete, release, correct or block access to Personal Data.

Scalingo shall pass on to the Customer any requests of an individual data subject to delete,
release, correct or block Personal Data Processed under the Agreement.

8. Cross Border and Onward Data Transfer

Scalingo treats all Personal Data in a manner consistent with the requirements
of the applicable data protection Law and this Data Processing Agreement in
all locations globally.

With respect to Personal Data stored by Scalingo in data centers in the EEA shall ensure
compliance its Subprocessors with the requirements of the applicable data protection law as
follows:

(i) Scalingo has entered into contracts with Subprocessors which provide that the
Subprocessor will undertake data protection and confidentiality obligations
consistent with applicable data protection laws;

(ii) further, where a Subprocessor processes Personal Data in or from a country that
has not received an “adequacy” finding, Scalingo will require the Subprocessor to
execute Model Clauses incorporating security requirements consistent with those
of this DPA.

When Scalingo acts as a Data Processor

Data is stored by Scalingo in data centers in different locations and operated
by different providers depending on the region chosen by customers when they
provisionned their services. Region can be osc-fr1, agora-fr1.

For osc-fr1 region

Data is stored by Scalingo in data centers located in FRANCE managed by
its subcontractor Outscale in their eu-west-2 region.

Outscale’s OSU storage services are located in France in Outscale eu-west-2
region and provided to Scalingo for databases backups and logs backups. To
learn more about Outscale’s Privacy Policy, please contact them by mail
personal-data@outscale.com or at:

Outscale DPO
1 rue Royale
319 bureaux de la Colline
92210 Saint-Cloud

For agora-fr1 region

Data is stored by Scalingo in data centers located in FRANCE managed by
its subcontractor AGORA HOSTING.

OVH France backup storage services are located in France and provided to
Scalingo for databases backups (except Elasticsearch databases backups) and
logs backups. To learn more about OVH’s Privacy Policy, please contact them by
mail cil@ovh.net or at:

OVH Siège social :
2 rue Kellermann
59100 Roubaix – France

Amazon Web Services S3 (Paris region) storage services are located in France
and are provided to Scalingo for databases backups (only Elasticsearch
databases backups). To learn more about AWS’s Privacy Policy, please contact them at:

When Scalingo acts as a Data Controller

Analytics

With respect to data processed and stored by its subcontractor Intercom, Inc.
in data
centers in the United States of America for analytics purposes when you visit
our website or
use or product, Scalingo shall ensure compliance to Process Personal Data
originating from the
European Economic Area (EEA) and/or Switzerland according to the relevant
EU-US Privacy
Shield Principles.

Intercom, Inc. complies with the EU-US Privacy Shield Framework as set forth by the US
Department of Commerce regarding the collection, use, and retention of personal information
from European Union member countries. Intercom, Inc. certifies that it adheres to the Privacy
Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity
and Purpose Limitation, Access, and Recourse, Enforcement and Liability. If there is any conflict
between the policies in this privacy policy and the Privacy Shield Principles, the Privacy Shield
Principles shall govern. To learn more about the Privacy Shield program, and to view
INTERCOM’S certification page, visit privacyshield.gov.

Payment Gateway

Stripe’s services in Europe are provided by a Stripe affiliate—Stripe
Payments Europe Limited (“Stripe Payments Europe”)—an entity located in Ireland and subject
to European law. In providing Stripe Services, Stripe Payments Europe transfers personal data
to Stripe, Inc. in the US. To ensure the adequate protection of personal data, Stripe uses the
European Commission’s Standard Contractual Clauses (“Model Clauses”) to allow for the lawful
transfer of such data under the EU Data Directive. These Model Clauses cover all transfers of
EU personal data between Stripe Payments Europe and Stripe, Inc., including user data and
end-customer cardholder data. To learn more about the Stripe data transfers or to request a
copy of their Model Clauses, please contact them at eudatatransfers@stripe.com.

9. Subprocessing

Scalingo shall not subcontract any of its processing operations performed on
behalf of the Customer under the Agreement and the TOS without the prior
written consent of the Customer.

Where Scalingo subcontracts its obligations under the Agreement, with the consent of the
Customer, it shall do so only by way of a written agreement with the subprocessor which
imposes the same obligations on the subprocessor as are imposed on Scalingo under the
Agreement. Where the subprocessor fails to fulfil its data protection obligations under such
written agreement Scalingo shall remain fully liable to the Customer for the performance of the
subprocessor’s obligations under such agreement.

The Customer as Data controller may request that Scalingo audit the Subprocessor or provide
confirmation that such an audit has occurred (or, where available, obtain or assist Data
Controller in obtaining a third-party audit report concerning Subprocessor’s operations) to
ensure compliance with such obligations. The Controller also will be entitled, upon written
request, to receive copies of the relevant terms of Scalingo’s agreement with Subprocessors
that may process Personal Data, unless the agreement contains confidential information, in
which case the Scalingo may provide a redacted version of the agreement.

The provisions relating to data protection aspects for subprocessing of the contract referred to
in paragraph 1 shall be governed by the law of the Member State in which the Customer is
established.

10. Technical and Organizational Measures

When Processing Personal Data on behalf of Customer in connection with the Services, Scalingo
shall ensure that it implements and maintains compliance with appropriate technical and
organizational security measures for the Processing of such data. Accordingly, Scalingo will
implement the following measures:

a) To prevent unauthorized persons from gaining access to data processing
systems in which Personal Data are Processed (physical access control), Scalingo shall take
measures to prevent physical access, such as security personnel and secured buildings
and factory premises.

b) To prevent data processing systems from being used without
authorization (system access control), the following may, among other controls, be applied depending upon the particular Services ordered: authentication via passwords and logging of access on several levels.

For Cloud Services hosted at the Scalingo: (i) logical access to the data centers is restricted and protected by firewall/VLAN; and (ii) the following security processes are applied: centralized logging and alerting, and (iii) firewalls.

c) To ensure that persons entitled to use a data processing system only
have access to the
Personal Data to which they have privilege of access, and that Personal Data cannot be
read, copied, modified or removed without authorization in the course of Processing
and/or after storage (data access control), Personal Data is accessible and manageable
only by properly authorized staff, direct database query access is restricted, and
application access rights are established and enforced.

In addition to the access control rules set forth above, Scalingo implements an access policy under which Data Controller controls access to its Cloud Services environment and to Personal Data and other data by its authorized personnel.

d) To ensure that Personal Data cannot be read, copied, modified or
removed without
authorization during electronic transmission or transport, and that it is possible to check
and establish to which entities the transfer of Personal Data by means of data
transmission facilities is envisaged (transmission control), Scalingo will comply with the
following requirements: Except as otherwise specified for the Cloud Services, transfers
of data outside the Service environment are encrypted (HTTPS). The content of
communications (including sender and recipient addresses) sent through some email
or messaging services may not be encrypted once received through such services. Data
Controller is solely responsible for the results of its decision to use non-encrypted
communications or transmissions.

e) To ensure that it is possible to check and establish whether and by
whom Personal Data
have been entered into data processing systems, modified or removed (input control),
Scalingo will comply with the following requirements: Personal Data source is under the
control of the Customer, and Personal Data integration into the system is managed by
secured file transfer (i.e., via web services or entered into the application) from the
Customer.

f) To ensure that Personal Data is protected against accidental
destruction or loss: backups are taken on a regular basis; backups are encrypted and are secured.

g) To ensure that Personal Data which is collected for different purposes
may be Processed
separately, data from different Data Controllers’ environments is logically segregated
on Scalingo’s systems.

11. Audit Rights

The Customer may audit Scalingo’s compliance with the terms of the Agreement and this Data Processing Agreement up to once per year.

The Customer may perform more frequent audits of the Service computer systems that Process
Personal Data to the extent required by laws applicable to the Customer. If a third party is to
conduct the audit, the third party must be mutually agreed to by both parties and must execute
a written confidentiality agreement acceptable to Scalingo before conducting the audit.

To request an audit, the Customer must submit a detailed audit plan at least 4 weeks in advance
of the proposed audit date describing the proposed scope, duration, and start date of the audit.
Scalingo will review the audit plan and provide Data Controller with any concerns or questions
(for example, any request for information that could compromise Scalingo’s security, privacy,
or employment policies).

The audit reports are Confidential Information of the parties under the terms of the Agreement. Any audits are at the Data Controller’s expense.

Any request for Scalingo to provide assistance with an audit is considered a separate service if
such audit assistance requires the use of different or additional resources. Scalingo will seek
the Data Controller’s written approval and agreement to pay any related fees before
performing such audit assistance.

12. Incident Management and Breach Notification

Scalingo evaluates and responds to incidents that create suspicion of unauthorized access to or
handling of Personal Data.

The Customer is informed of such incidents and, depending on the nature of the activity,
defines escalation paths and response teams to address those incidents. Scalingo will work with
the Customer, with the appropriate technical teams and, where necessary, with outside law
enforcement to respond to the incident. The goal of the incident response will be to restore
the confidentiality, integrity, and availability of the Services environment, and to establish root
causes and remediation steps.

Scalingo operations staff is instructed on responding to incidents where handling of personal
data may have been unauthorized.

Scalingo shall notify the Customer without undue delay after becoming aware of a personal
data breach. Scalingo shall promptly investigate any security breach and take reasonable
measures to identify its root cause(s) and prevent a recurrence. As information is collected or
otherwise becomes available, unless prohibited by law, Scalingo will provide Data Controller
with a description of the security breach, the type of data that was the subject of the breach,
and other information Data Controller may reasonably request concerning the affected
persons. The parties agree to coordinate in good faith on developing the content of any related
public statements or any required notices for the affected persons.

13. Legally Required Disclosures

Except as otherwise required by law, Scalingo will promptly notify the Customer of any
subpoena, judicial, administrative or arbitral order of an executive or administrative agency or
other governmental authority (“demand”) that it receives and which relates to the Personal
Data Scalingo is Processing on Customer’s behalf. At Customer’s request, Scalingo will provide
reasonable information in its possession that may be responsive to the demand and any
assistance reasonably required for the Customer to respond to the demand in a timely manner.
The Customer acknowledges that Scalingo has no responsibility to interact directly with the
entity making the demand.

14. Obligation after the termination of personal data processing services

The parties agree that on the termination of the provision of data processing services, Scalingo
will make available for retrieval or otherwise will return Customer’s Personal Data stored in the
Platform environment, unless legislation imposed upon the parties prevents it from returning
or destroying all or part of the personal data transferred. In that case, the parties warrant that
it will guarantee the confidentiality of the personal data transferred and will not actively
process the personal data transferred anymore.

15. Governing law

This agreement will be governed by the law of the Member State in which the Customer is
established.